Cyber insurance and the ransomware revolution

Is now a good time to underwrite cyber business? It rather depends on your perspective, with several positive and negative trends weighing for and against this still relatively new class of business.

The market for insuring cyber risks is under strain from a rising claims bill in recent years. Traditional lines of business are keen to divest so-called silent cyber business, providing additional demand. Rates are increasing, thanks to hard market conditions. And a rising tide of ransomware threatens to move profits from underwriters to hackers and cyber-criminals.

The wave of ransomware attacks has included some high profile targets. On 7 May, cybercriminals shut down the Colonial Pipeline, supplying 45% of the oil used by America’s east coast, for five days. A $4.4mn ransom was demanded by a group of attackers calling themselves “DarkSide”. Colonial paid up, with about half of the ransom payment, in Bitcoin currency, subsequently recovered by US authorities.

And insurers themselves have been targeted by ransomware in 2021, including an attack against US insurer CNA, which reportedly paid a $40mn ransom to criminals in March to make the attack go away. The Asian arm of France’s largest insurer AXA has also been targeted, it seems – ironically, shortly after the company changed its underwriting policy, saying it would no longer pay claims to reimburse the cost of ransoms.

The hackers are becoming increasingly collaborative in these ransomware attacks, according to a recent report from San Francisco-based analytics firm CyberCube concluded, mirroring the organised crime world of drug cartels by organising themselves into loosely-affiliated groups.

It has also spawned ‘ransomware as a service’, aping the business models of the fintech world, whereby criminal sites, such as DarkSide, hire out ransomware capabilities, or act as broker, for a cut of the profits.

“Claims have multiplied since 2019, which is largely driven by ransomware,” says Jack Hammond, a partner in McGill and Partners’ Cyber team. “Ransomware is a profitable business, and some of that money is being invested in better technology with which to attack other companies, so this isn’t going away anytime soon.”

Insurers’ losses have been ransomware criminals’ gains. The CyberCube report said that cybercriminal cartels behind ransomware attacks in 2021 will be responsible for the majority of attritional losses in the insurance market, and potentially even aggregation events.

It is aggregation risk which troubles insurers and reinsurers most, with unplotted correlations between classes of business the proverbial bogeyman which leads to unsustainable, catastrophic losses.

This fear was at the heart of a recent US cyber risk report from insurance credit rating agency AM Best. The rise in ransomware attacks bodes “grim prospects” for US cyber underwriters (the market with highest penetration), the ratings firm predicted, while aggregation risks mean that cyber risks are increasingly pervasive, heaping sustainability questions for the insurance market.

The AM Best report warned that the fast-changing risk landscape for cyber insurance has outpaced insurers’ consideration of the underwriting risks they are taking. Cyber insurance has been seen by insurers as a diversifying side-line, AM Best argued, with products focused primarily on data breaches. However, by 2021 the reality is that ransomware has emerged as a new threat, and cyber has become a headline risk for the commercial insurance buyers and risk managers on the frontline.

“Aggregation risk, or systemic risk, is a problem for many markets, including cyber,” says Alistair Clarke, team leader of Aon’s cyber and commercial E&O team “This market has grown quickly but it’s increasingly obvious it is a challenge that we collectively need to solve.”

The loss ratio for cyber insurance increased for 15 out of the 20 largest US cyber insurers in 2019, rising to 67.8% on average from 44.8% the previous year. First-party ransomware claims were up 35% in 2020, accounting for 75% of cyber claims by the start of this year, AM Best noted.

The insurance market has several ways of dampening the effects of the concerns addressed in the AM Best report. Firstly, hard market pricing will partially offset claims, along with the tightened terms and conditions, pickier risk selection, and profit-minded capital deployment that traditionally goes along with any turn in market rates.

“Rates are increasing dramatically,” says Hammond. “There are 40% increases on clean accounts without claims, and a lot more on some others that have either suffered significant claims or for businesses with cyber controls seen to be weaker than insurers would like, with issues like multi-factor identification increasingly expected to be the norm.”

Brokers are occupied with getting more and better data from their clients to underwriters, in order to secure better terms.

“The standard has always been high, but underwriting requirements have increased, and the amount of data underwriters require has increased,” says Hammond. “It can take time, working within various departments of complex organisations, to collate all that information. We’re also trying to make clients understand the benefits of providing all this information to try to secure better terms, more capacity, or less of a rate increase.”

In the Lloyd’s market, home to many cyber risks, Hammond notes a few other carriers and managing agents that had started underwriting cyber risks have backed away from the business, but that they have been replaced by others, keen to provide capacity to grab the hard market pricing opportunities.

For annual business plans at Lloyd’s – set with strict ceilings on premium volume – this means some syndicates are having to resubmit their plans because they are fast using up their annual allowances with the year only halfway through. This means careful risk selection and prioritising quality business, but most will also go back to Lloyd’s to ask for a higher ceiling to get the most out of the higher premium that results from a hard market pushing up pricing on individual policies.

“Most of the large syndicates are going back to Lloyd’s to get permission to increase premiums income limits,” Clarke says. “Past performance will provide greater flexibility, so it will be easier for some than for others.”

For those new to the cyber market, this is a great time to underwrite it, or at least better than for rivals who have seen claims rise from prior years when rates were a fraction of those being charged today.

“If you’ve got no legacy claims, premiums are high and increasing, so this is a great market,” says Hammond. “For those insurers in the market for some time, this is a coming of age moment for cyber. Rates are going up, but claims are still developing. This is a market predicated on a changing risk. Technology changes all the time, and controls that are adequate now, might not be adequate within a year’s time.”

However, the fast-moving nature of the cyber market might also mean that underwriters can at least plan their underwriting appetite with an accurate view of their incoming claims, rather than having to wait for a long tail of claims to uncurl.

“Cyber is still predominantly a short tail book, and claims in our market tend to materialise within a policy or calendar year,” says Clarke. “Added to this, carriers do not yet have resilience through scale, because the pot of cyber insurance premium that these firms are writing is not yet big enough.”

Outside the standalone cyber market, there has been a shift, as insurers have sought to distinguish and divest “silent cyber” exposures from within property and all-risks policies that were designed with traditional, non-cyber risks in mind.

Since 2019 this has been area of regulatory focus in the UK, with insurers increasingly keen to ensure cyber exposures are not lurking within other business, and to move them from one pot to another.

This has been a rude awakening for many companies that have never bought standalone cyber coverage and relied on their traditional policies. The result has been a growing number of so-called write-back products that carve back uninsured exposures that arise from such exclusions, sold as add-ons to a property policy with the same terms and conditions. Such add-ons can be provided by the same or a different insurer, but will fall under cyber business.

“Clients have got to find a new budget for something they’ve always had covered,” says Hammond. “Risk managers have got to get their heads around a new insurance market, with different brokers and different insurers. Take-up has been slow, but we’re trying to convince them that they need this.”

A write-back is generally cheaper than a standalone cyber policy, but as a halfway house, its cover is narrower, and includes none of the other benefits, including IT security and consultancy services, that the standalone specialty market covers typically provide.

However, brokers agree it will provide an entry route for new business, as buyers become accustomed to buying cyber cover, and progressively realise they may need broader protections in place.

“Silent cyber is a huge challenge for our clients but at the same time it is also an enormous opportunity for the cyber market,” says Clarke. “Our market can truly now have an influence across many different lines of business, and once again show its value sitting alongside more established types of insurance.”

He is upbeat about the cyber market’s prospects, despite the risks. “In this market’s short history we’ve never had a rising rate environment like we have now,” say Clarke. “And whilst, again, this represents a challenge for out clients, we at Aon are doing everything we can to mitigate these effects. One inevitable positive effect will be through new entrants coming through, providing a chance for innovation and, ultimately, more choice for insureds.”